Security Best Practices to Protect Intranet Servers

One may wonder whether there are any security concerns specific to intranet web servers. The answer is generally "yes", depending on the context, and at least the following apply in most cases:
- First, internal machines connected through VPN (mobile users) should to some extent be treated like external (Internet) machines in terms of security risk: they are more commonly compromised because most of the time they reach the Internet with fewer security controls than machines inside the LAN (for instance when the VPN uses split tunneling and HTTP traffic goes straight to the Internet).
- Second, if the web server is reachable from the outside (Internet) as well as from the inside (intranet), it may be used as a pivot to further compromise internal machines. This is a scenario we see quite commonly in incident response.
- Third, and worst, is the scenario where users are at some point allowed to upload or modify content hosted on the web server: that content has to be secured and checked. Malicious content (links to exploit code, injected scripts, etc.) may otherwise be inserted into the site and then be accessed transparently and automatically by every client browsing it.

Thus, to mitigate these risks, here are a few steps specific to web servers:

  1. Identify the network flows, in terms of requests: if you know the regular flows the server is supposed to receive and send, you can allow and inspect them (content/request inspection) while all other traffic is denied by default by the firewall. This is a network isolation measure that reduces the risk of malware spreading (or of a successful intrusion getting deeper into the production network).
  2. Make sure there is no way to reach the web server directly, bypassing the security filtering layers.
  3. Make sure the DMZ cannot directly reach the LAN through a "source to any"-like rule (double-check firewall and router rules).
  4. Deploy a Network Intrusion Detection/Prevention system that detects and blocks malicious network requests. You might want to look at the MAPP to find a Microsoft partner (www.microsoft.com/security/mapp/).
  5. Deploy a WAF (Web Application Firewall) in front of the web server. This hardens request filtering and lets you tighten the filter to the specifics of the web application. ModSecurity for IIS (see: http://www.modsecurity.org/) is one example of such a solution, as are others from the MAPP program. We also recommend considering URLScan (http://www.iis.net/learn/extensions/working-with-urlscan) to restrict URLs and request data and to protect against code injection (http://www.iis.net/learn/extensions/working-with-urlscan/common-urlscan-scenarios).
  6. Back up the web server data on a regular basis, and verify that the backups can actually be restored.
  7. Follow security best practices for ASP.NET code to protect against code injection: http://msdn.microsoft.com/en-us/magazine/hh580736.aspx and SQL injection: http://msdn.microsoft.com/en-us/library/ms161953(SQL.105).aspx. From a more global point of view, refer to the SDL: http://msdn.microsoft.com/en-us/security/aa570401.aspx. Audit the hosted code on a regular basis.
  8. Harden encrypted network communications as much as possible, taking into account the SSL/TLS implementations available on the Windows systems you run: http://blogs.msdn.com/b/benjaminperkins/archive/2011/10/07/secure-channel-compatibility-support-with-ssl-and-tls.aspx. By default, our recommendation is TLS 1.1/1.2, with SSL 2.0 and SSL 3.0 disabled. Keep in mind that this has to be enabled on both the client and the server side, and that Schannel only reads its protocol settings at boot, so a reboot is needed after changing them.
  9. Implement application whitelisting/blacklisting, through AppLocker for example: http://technet.microsoft.com/en-us/library/ee791890(v=ws.10).aspx
  10. Follow security best practices for the application layer, database layer and web server layer products.

NB: If you wish to strengthen network isolation (DMZ-like) and the WAF cannot itself provide network isolation between clients and server, you might want to deploy a reverse proxy in front of the web server. Forefront UAG is one example of such a solution, as are others from the MAPP program.
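The following script is an added example, not code from the original article: it applies the host-level part of steps 1 to 3 (default-deny inbound, an explicit allow for the identified flows, and a report of any inbound allow rule open to any source and any port) and the Schannel protocol settings of step 8 on a Windows Server 2012 or later IIS host. The allowed port list, the rule names and the decision to disable TLS 1.0 are assumptions to adapt to the flows and clients you have identified; perimeter firewall and router rules still have to be reviewed separately.

```powershell
# Added example, not part of the original article: host-level firewall
# allow-list (steps 1-3) and Schannel protocol hardening (step 8).
# Requires Windows Server 2012 / PowerShell 3 or later, run elevated.

$AllowedInboundTcp = @(80, 443)   # assumption: plain HTTP/HTTPS site, adapt to your flows

# --- Steps 1-3: default-deny inbound on every profile, allow only known ports --
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

foreach ($port in $AllowedInboundTcp) {
    $name = "Web-Allow-TCP-$port"   # assumption: rule naming convention
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $port -Profile Any | Out-Null
    }
}

# Report every enabled inbound allow rule scoped neither by port nor by remote
# address: the host-level equivalent of the "source to any" rules of step 3.
$wideOpen = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -eq 'Any' -and
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any'
    }
if ($wideOpen) {
    Write-Warning 'Inbound allow rules open to any source and any port:'
    $wideOpen | Select-Object DisplayName, Profile, Group | Format-Table -AutoSize
}

# --- Step 8: Schannel protocol configuration, client AND server side ---------
# Assumption: no client that only speaks SSL 2.0/3.0 or TLS 1.0 still needs
# to talk to this host. Schannel reads these keys at boot: reboot to apply.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}
foreach ($proto in $protocols.Keys) {
    foreach ($side in 'Client','Server') {
        $key = "$base\$proto\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $enabled = if ($protocols[$proto]) { 1 } else { 0 }
        Set-ItemProperty -Path $key -Name Enabled           -Value $enabled       -Type DWord
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value (1 - $enabled) -Type DWord
    }
}

# Read back the server-side values so the result can be checked before rebooting.
foreach ($proto in $protocols.Keys) {
    $srv = Get-ItemProperty -Path "$base\$proto\Server" -ErrorAction SilentlyContinue
    '{0,-8} server Enabled={1} DisabledByDefault={2}' -f $proto, $srv.Enabled, $srv.DisabledByDefault
}
```

The firewall part is idempotent (rules are only created when missing), so it can be re-run from a scheduled task to catch drift. Setting both Enabled and DisabledByDefault matters: Enabled=0 refuses the protocol outright, while DisabledByDefault=1 only prevents it from being offered when an application does not ask for it explicitly.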


There are also other security best practices we recommend considering, even for this web server scenario:

- Antivirus running on ALL connected machines, fully up to date. SCCM can help with this (inventory, deployment, policy enforcement...).
- Deploy all applicable security fixes on the server on a regular basis (and inventory all installed software that might require updates). SCCM can help here too (inventory, deployment, policy enforcement...).
- Enforce Internet access security through HTTP proxy filtering.
- Prefer 64-bit systems over 32-bit ones, because 64-bit Windows systems embed more security features by default than their 32-bit equivalents. For instance, ASLR is more effective on 64-bit systems (a much larger address space to randomize), and on 64-bit Windows DEP is always enforced in hardware for native 64-bit processes.
- Messaging filtering (MTA/MDA). FOPE and FPE are examples, or you might want to look at the MAPP partners list: www.microsoft.com/security/mapp/
- Protect applications against vulnerability exploitation with DEP and ASLR (where applicable). The EMET tool can help identify which applications are compatible with those mitigations and which are not. See: http://support.microsoft.com/kb/2458544
- Lower the privileges users have locally: they should not be local administrators unless they really need to be (this is very dangerous because malware then spreads easily and may take complete control of machines).
- Implement network isolation, for instance with NAP, at least for critical assets and infrastructure servers: http://technet.microsoft.com/library/cc512682.aspx
- Use two-factor authentication for privileged accounts, such as domain admin accounts (but also any account holding the SeDebugPrivilege right).
- Enable Network Level Authentication for Remote Desktop: http://technet.microsoft.com/en-us/library/cc732713.aspx
- Harden local admin passwords, especially if you deploy Windows from operating system images (every machine built from the image would otherwise share the same password): http://social.technet.microsoft.com/wiki/contents/articles/13217.best-practices-and-tricks-to-protect-local-admin-passwords-at-a-large-scale-en-us.aspx

- Use IPsec at least for critical application servers and between domain controllers (AD replication, etc.):
http://technet.microsoft.com/en-us/library/deploy-ipsec-firewall-policies-step-by-step(v=ws.10).aspx

- Run offline antivirus scans after a compromise and on a regular basis (for sensitive machines). Here is an implementation example built on SCCM and System Sweeper (since renamed Windows Defender Offline):
http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/launching-a-windows-defender-offline-scan-with-configuration-manager-2012-osd.aspx

- [if the server uses any AD resource/service] Secure/audit Active Directory:
http://technet.microsoft.com/en-us/library/bb727065.aspx &
http://technet.microsoft.com/en-us/library/bb727066.aspx
Audit: http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

- [if the server uses any AD resource/service] Monitor domain user account activity: http://social.technet.microsoft.com/wiki/contents/articles/11302.clarifying-things-regarding-domain-account-password-and-lockout-policy-operational-monitoring.aspx
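The following script is an added example, not code from the original article: a read-only audit of four of the recommendations in the list above (64-bit OS, DEP policy, Network Level Authentication for RDP, and local Administrators membership). The only change it can make is enabling NLA, and only when run with the -EnforceNla switch; the list of expected local administrators is an assumption to adjust to your environment.

```powershell
# Added example, not part of the original article: host audit for several of
# the general recommendations above. Requires PowerShell 3 or later, elevated.
param([switch]$EnforceNla)

$findings = @()
$os = Get-CimInstance Win32_OperatingSystem

# 64-bit check: ASLR has far more entropy and DEP is always on for 64-bit code.
if ($os.OSArchitecture -notmatch '64') {
    $findings += "OS architecture is $($os.OSArchitecture); prefer a 64-bit build"
}

# DEP policy as reported by WMI: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
# OptIn (the client default) protects only Windows binaries and opted-in apps.
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$dep = [int]$os.DataExecutionPrevention_SupportPolicy
if ($dep -notin 1, 3) {
    $findings += "DEP policy is $($depNames[$dep]); set OptOut or AlwaysOn with: bcdedit /set nx OptOut"
}

# Network Level Authentication on the RDP-Tcp listener (UserAuthentication=1).
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    if ($EnforceNla) {
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        $findings += 'NLA was disabled for RDP-Tcp; enabled now (applies to new connections)'
    } else {
        $findings += 'NLA is disabled for RDP-Tcp; rerun with -EnforceNla to enable it'
    }
}

# Local Administrators membership via ADSI (works on Server 2008 too, which has
# no Get-LocalGroupMember). Assumption: only the built-in Administrator and
# Domain Admins are expected; anything else needs a justification.
$expected = @('Administrator', 'Domain Admins')
$members = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
foreach ($m in $members) {
    if ($m -notin $expected) { $findings += "Unexpected member of local Administrators: $m" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No findings.' }
```

Run it from SCCM or a scheduled task and collect the warnings centrally; a machine that suddenly gains an unexpected local administrator is exactly the kind of signal the "lower local privileges" recommendation depends on.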

Then please consider following these specific security guides/best practices to harden and maintain systems:
-----------------------------------------------------------------------------

- Windows Server 2008 Security Guide (and features): http://technet.microsoft.com/en-us/library/dd548350(v=ws.10).aspx
- IIS security guide: http://technet.microsoft.com/fr-fr/library/dd450371(v=ws.10).aspx
- MS SQL Server 2008 R2 security best practices: http://download.microsoft.com/download/1/2/A/12ABE102-4427-4335-B989-5DA579A4D29D/SQL_Server_2008_R2_Security_Best_Practice_Whitepaper.docx
- SharePoint Server 2010 security guide: http://technet.microsoft.com/en-us/library/cc263215.aspx

- Windows Server 2008 R2 performance tuning: http://msdn.microsoft.com/en-us/windows/hardware/gg463392.aspx

We hope this helps.
